Behavior of Packet Counts for Network Intrusion Detection

Behavior of Packet Counts for Network Intrusion Detection Statistical Behavior of Packet Counts for Network Intrusion Detection Abstract— Intrusions and attacks have become a very serious problem in network world. This paper presents a statistical characterization of packet counts that can be used for network intrusion detection. The main idea is based on detecting any suspicious behavior in computer networks depending on the comparison between the correlation results of control and data planes in the presence and absence of attacks using histogram analysis. Signal processing tools such as median filtering, moving average filtering, and local variance estimators are exploited to help in developing network anomaly detection approaches. Therefore, detecting dissimilarity can indicate an abnormal behavior. Keywords— Anomaly detection, statistics, Network Intrusion Detection Systems (NIDS). I. INTRODUCTION NOWADAYS, the use of the Internet has become important and it increased considerably. Internet use has spread to daily work, business, education, entertainment and etc. Computer networks bring us a lot of benefits, such as computing and better performance, but they also bring risks. So, security systems have to be built to face those risks. One of those systems is the network intrusion detection system (NIDS), which is designed to alert the network administrators to the presence of an attack. Recently, intrusions are classified as serious Internet security threats due to the mass service disruption they result in, the unsafe use of the Internet, and the difficulty to defend against them [1]. Some attacks aim to consume large amount of resources to prevent legitimate users from receiving satisfactory performance. Network Intrusion Detection System is a tool to detect the attacks that attempt to compromise the availability, integrity or confidentiality of the network. It has been started to be used frequently as one component of an effective layered security model for an organization. This system monitors network traffic continuously for malicious activity, and raise alerts when they detect attacks. Existing intrusion detection systems can be classified into signature detection systems/ misuse and anomaly detection systems [2-3]. Signature detection systems rely on a database of a predefined set of attack signatures. They detect attacks by comparing the observed patterns of the network traffic with the database. If the attack is listed in the database, then it can be successfully detected and identified [4]. On the other hand, anomaly detection systems are designed to compare the parameters of the normal network traffic to the observed unusual traffic [5]. In such cases, the detected deviation from the normal traffic is declared as an attack. Such methods can detect new kinds of network attacks. In this paper, we aim to studding the intrusion and attacks behavior by monitoring the changes in the traffic of the network. Detecting dissimilarity between the correlation results of control and data planes can indicate an abnormal behavior [6]. This paper is organized as follows. Section II includes the anomaly detection techniques. Section III, includes the suggested statistical analysis. Section IV, includes the simulation results. Section V includes the concluding remarks. II. Anomaly detection techniques A number of studies have focused on developing network anomaly detection methods. For example, Haystack [7] is one of the statistical anomaly-based intrusion detection systems. In this system, a range of values is set to indicate the normal status of each pre-defined feature. If the values measured during a session lie outside the normal range, then the score of a subject is raised. Haystack was designed to work offline and that was considered as one of its drawbacks [8]. Statistical Packet Anomaly Detection Engine (SPADE) [9] is also one of the statistical anomaly-based intrusion detection systems. It uses the concept of an anomaly score to detect sport scans. A simple frequency domain based approach is used to calculate the anomaly score of a packet. The fewer the packets, the higher the anomaly score. One drawback of the SPADE is its high false alarm rate. In this paper, we concentrate on the statistical analysis of the correlation sequence between packet and control counts in computer networks [10]. The suggested approach is based on distinguishing histograms of the correlation sequences of normal and abnormal traffics. The correlation sequences are processed either directly or after pre-processing with differentiator, median filtering, or local variance estimation. III. Statistics Histogram Analysis Histogram is defined as a graphical representation of the distribution of data, a histogram is a function that counts the number of observations that fall into each of the disjoint categories, Thus, if we let k be the total number of bins and n be the total number of observations, the histogram mi meets the following conditions [7]: (1) Median Filtering The median filtering is based on sorting the data and selecting is the middle number. It is used to exclude impulsive values in the correlation sequences. Mean The mean is the average of a set of numbers (2) Variance The variance is a measure of how items are dispersed about their mean. The variance of a whole population is given by the equation [11] (3) where M is the local mean. IV. Proposed Approach The proposed approach can be summarized in the following steps: Network traffic packet traces are typically provided in raw tcpdump format [12]. Therefore, it is necessary to preprocess packets to extract the features in the format needed to carry out further analysis [6]. Extracting a count features, from the packet header information . Computing the similarity between the two traffic groups; control and data by using cross-correlation function. Applying some sort of pre-processing on the correlation sequence with median filtering, moving average, differentiator, and local variance estimation. Histogram estimation of the original correlation sequences and the pre-processed sequences. Creating databases for the histograms with attacks and without attacks. Setting thresholds based on these histograms for discrimination. V. experimental results We have used the cross-correlation results between the control and data packets when there is no attacks and when there is an attack for one day of KSU traffic. Fig. 1 shows the correlation coefficients between the control and data packets when there is no an attack. Fig 2 shows the correlation coefficients when there is an attack applied. Fig. 3 shows the correlation coefficients histogram distribution for normal and abnormal traffic. Fig. 4 shows the histogram distribution of the correlation coefficient median for normal and abnormal traffic. Fig. 5 shows the histogram distribution of correlation coefficients mean for normal and abnormal traffic. Fig. 6 shows the histogram distribution of the correlation coefficients local variance for normal and abnormal traffic. The experimental results reveal that when there is an attack, a noticeable difference in histogram distribution is found. Fig. 1 : Correlation coefficients for normal traffic. Fig. 2 : Correlation coefficients for abnormal traffic. Fig. 3 : Correlation coefficients histogram distribution for normal and abnormal traffic. Fig. 4 : Histogram of the correlation coefficients median for normal and abnormal traffic. Fig. 5 : Histogram of the correlation coefficients local mean for normal and abnormal traffic. Fig. 6 : Histogram of the correlation coefficients local variance for normal and abnormal traffic. From these figures, we can set a probability threshold for each case, based on which, a decision of normal or abnormal traffic can be taken. VI. Conclusion The paper presented a statistical study for the correlation coefficients between packet and control planes of network traffic. Simulation experiments have shown that there is a difference in histogram distribution between normal and abnormal traffics. With the aid of signal processing tools like median filtering, local mean filtering and local variance filtering, we can set a group of thresholds to distinguish between normal and abnormal traffics.